Çú·â¤¹¤ë-Íò¡¿½±·â¤¹¤ë

Abstract: Triton is a dynamic binary ʬÀÏ library. It ¶¡µë¤¹¤ës ÆâÉô¤Î ¹½À®Í×ÁÇs that µö¤¹ you to build your program ʬÀÏ Æ»¶ñs (¾ÝħŪ¤Ê, taint, ¹çÀ®, etc.), ¼«Æ°²½¤¹¤ë µÕž¤¹¤ë ¹©³Ø, À®¤·¿ë¤²¤ë ¥½¥Õ¥È¥¦¥§¥¢ Ω¾Ú or just emulate i386, x86-64, ARM and AArch64 code.

Abstract: Just another (unfinished) kernel from scratch... At first I didn't ·×²è¡Ê¤¹¤ë¡Ë on ²òÊü¡Ê¤¹¤ë¡Ëing this »ö¶È¡¿·×²è¡Ê¤¹¤ë¡Ë, but it's dying in a directory. This »ö¶È¡¿·×²è¡Ê¤¹¤ë¡Ë was just for understanding how the kernel ºîÉÊ and ´Þ¤à¡¿Éõ¤¸¹þ¤á¤ës these ¤Ë°ú¤­Â³¤¤¤Æ features: Êݸ¤ëd Êý¼° 32 bits, Multitasking, Paging, Memory ÇÛʬ, Interrupts, Exceptions, Syscalls.

Abstract: This emulator was created for the CTF NDH 2012. Some challenges was on the NDH architecture. The NDH architecture is a new architecture which look like a mix between ARM and x86. The »ö¶È¡¿·×²è¡Ê¤¹¤ë¡Ë ´Þ¤à¡¿Éõ¤¸¹þ¤á¤ës a compiler, a debugger and a »ö¼Â¾å¤Î machine.

Abstract: This Æ»¶ñ lets you search your gadgets on your binaries to Íưפˤ¹¤ë your ROP ³«È¯¡¿ÍøÍÑ. ROPgadget supports the ELF, PE and Mach-O Ƚ·¿ on x86, x64, ARM, ARM64, PowerPC, SPARC and MIPS architectures. It also ¿½¤·¹þ¤à¡¿¿½¤·½Ðs a dumb ROP-chain À¤Âå.

PhD ÏÀÂê¡¿ÏÀʸ, Grenoble, ¥Õ¥é¥ó, 2020. [french ÏÀÂê¡¿ÏÀʸ] [french slide] [bibtex]
Abstract: This ÏÀÂê¡¿ÏÀʸ work has been done in an »º¶È¤Î ´Ä¶­ where the main activities were µÕž¤¹¤ë ¹©³Ø for vulnerability ¸¦µæ and °ÂÁ´ ½êͭʪ¡¿»ñ»º¡¿ºâ»ºs Ω¾Ú on binary programs. The first part of this doctoral work ¾ÇÅÀ¡Ê¤ò¹ç¤ï¤»¤ë¡Ës on the collection and ³ôing of the »º¶È¤Î problems when ʬÀϤ¹¤ëing binary programs. Based on these ÌäÂ꡿ȯ¹Ô¤¹¤ës, a binary dynamic ʬÀÏ ÏÈÁÈ¤ß has been developed and ·Á¼°²½¤¹¤ëd. Real examples of use are then ¸½ºß¤Îd, such as the ¡ÊÈȺᡤɵ¤¤Ê¤É¤Î¡Ëȯ¸« of opaque predicates in »ÙŹ ¾ò·ïs. Finally, a new (a)¼«Æ°Åª¤Ê¡¿(n)¼«Æ°·ý½Æ approach for deobfuscation of binary code Êݸ¤ëd by virtualization is ¸½ºß¤Îd Ï¢¹ç¤µ¤»¤ëing features of the ÏÈÁÈ¤ß Æ±ÍÍ¤Ë as those of other Æ»¶ñs.

Talk at DIMVA, Paris-Saclay, ¥Õ¥é¥ó, 2018. [paper] [slide] [bibtex]
Abstract: ¥½¥Õ¥È¥¦¥§¥¢ Êݸî has taken an important place during the last £±£°Ç¯´Ö ¡¼¤¹¤ë¤¿¤á¤Ë Êݸ¤ë legit ¥½¥Õ¥È¥¦¥§¥¢ against µÕž¤¹¤ë ¹©³Ø or tampering. Virtualization is considered as one of the very best ÊÛ¸îs against such attacks. We ¸½ºß¤Î a generic approach based on ¾ÝħŪ¤Ê path õ¸¡, taint and recompilation µö¤¹ing to ²óÉü¤¹¤ë, from a virtualized code, a devirtualized code semantically Ʊ°ì¤Î to the ½é¤á¤Î one and ¤Î¶á¤¯¤Ë in size. We define ´ð½à and metrics to ɾ²Á¤¹¤ë the relevance of the deobfuscated results ¡¼¤Ë´Ø¤·¤Æ¡¿¡¼¤ÎÅÀ¤Çs of correctness and precision. Finally we Äó°Æ¤¹¤ë an open-source ÂÎÀ©¡¿µ¡¹½ µö¤¹ing to ɾ²Á¤¹¤ë the Äó°Æ¤¹¤ëd approach against several forms of virtualization.

Talk at SSTIC, Rennes, ¥Õ¥é¥ó, 2017. [french paper] [english slide] [french ¥Ó¥Ç¥ª] [bibtex]
Abstract: In this £Äè we ½Ò¤Ù¤ë an approach which consists to automatically ʬÀϤ¹¤ë »ö¼Â¾å¤Î machine based ¥½¥Õ¥È¥¦¥§¥¢ Êݸîs and which recompiles a new ¸«²ò¡¿ËÝÌõ¡¿ÈÇ of the binary without such Êݸîs. This ¼«Æ°²½¤¹¤ëd approach relies on a ¾ÝħŪ¤Ê »à·º¼¹¹Ô guide by a taint ʬÀÏ and some concretization À¯ºös, then on a binary rewriting using LLVM °Ü¹Ô.

Talk at CSAW SOS, NYC, USA, 2016. [slide]
Abstract: The first part of the talk is going to be an introduction to the Triton ÏÈÁÈ¤ß to expose its ¹½À®Í×ÁÇs and to explain how they work together. Then, the second part will ´Þ¤à demonstrations on how it's possible to µÕž¤¹¤ë »ö¼Â¾å¤Î machine based Êݸîs using taint ʬÀÏ, ¾ÝħŪ¤Ê »à·º¼¹¹Ô, SMT simplifications and LLVM-IR optimizations.

Talk at St'Àڤ곫¤¯¡¿¥¿¥¯¥·¡¼¡¿ÉÔÀµ¥¢¥¯¥»¥¹, Bordeaux, ¥Õ¥é¥ó, 2016. [slide]
Abstract: At this £Äè we will talk about how a DBA (Dynamic Binary ʬÀÏ) may help a µÕž¤¹¤ë engineer to µÕž¤¹¤ë obfuscated code. We will first introduce some basic obfuscation techniques and then expose how it's possible to break some stuffs (using our open-source DBA ÏÈÁÈ¤ß - Triton) like ¡Ê°­»ö¡¤ÈëÌ©¤Ê¤É¤ò¡Ëȯ¸«¤¹¤ë opaque predicates, ºÆ·ú¤¹¤ë CFG, find the ½é¤á¤Î algorithm, ¸ÉΩ¤¹¤ë sensible data and many more... Then, we will ·ëÏÀ¤¹¤ë with a ¥Ç¥â and few words about our ̤Íè work.

MISC magazine 82, 2015. [french article]
Abstract: Binary obfuscation is used to Êݸ¤ë ¥½¥Õ¥È¥¦¥§¥¢'s Ãμ±¿Í ½êͭʪ¡¿»ñ»º¡¿ºâ»º. There ¸ºß¤¹¤ë different Æù¿Æ¡¤¿ÆÎàd of obfucation but ³µÎ¬¤Ç, it transforms a binary structure into another binary structure by Êݸ¤¹¤ëing the same semantic. The ÌÜŪ¡Ê¤È¤¹¤ë¡Ë of obfuscation is to ³Î¼Â¤Ë¤¹¤ë that the ½é¤á¤Î ¡Ê·Ù»¡¤Ê¤É¤Ø¤Î¡ËÌ©¹ð¡¤¹ðÁʡʾõ¡Ë is "Å®»à¤¹¤ë" in useless ¡Ê·Ù»¡¤Ê¤É¤Ø¤Î¡ËÌ©¹ð¡¤¹ðÁʡʾõ¡Ë that will make µÕž¤¹¤ë ¹©³Ø harder. In this article we will show how we can analyse an ofbuscated program and break some obfuscations using the Triton ÏÈÁȤß.

Talk at SSTIC, Rennes, ¥Õ¥é¥ó, 2015. [french paper] [¾ÜºÙ¡Ê¤Ë½Ò¤Ù¤ë¡Ëd english slide] [light french slide] [bibtex]
Abstract: This talk is about the ²òÊü¡Ê¤¹¤ë¡Ë of Triton, a concolic »à·º¼¹¹Ô ÏÈÁÈ¤ß based on Pin. It ¶¡µë¤¹¤ës ¹½À®Í×ÁÇs like a taint engine, a dynamic ¾ÝħŪ¤Ê »à·º¼¹¹Ô engine, a snapshot engine, translation of x64 »Ø¼¨¡¿¶µ¼ø¡¿¶µ°é to SMT2, a Z3 interface to solve ¶¯À©s and Python bindings. Based on these ¹½À®Í×ÁÇs, Triton ¿½¤·¹þ¤à¡¿¿½¤·½Ðs the ²ÄǽÀ­ to build Æ»¶ñs for vulnerabilities ¸¦µæ or µÕž¤¹¤ë-¹©³Ø ±ç½õ.

Talk at St'Àڤ곫¤¯¡¿¥¿¥¯¥·¡¼¡¿ÉÔÀµ¥¢¥¯¥»¥¹, Bordeaux, ¥Õ¥é¥ó, 2015. [slide]
Abstract: This talk can be considered like the part 2 of my talk at SecurityDay. In the previous part, I talked about how it was possible to cover a Ūd µ¡Ç½¡Ê¤¹¤ë¡Ë¡¿¹Ô»ö in memory using the DSE (Dynamic ¾ÝħŪ¤Ê »à·º¼¹¹Ô) approach. Cover a µ¡Ç½¡Ê¤¹¤ë¡Ë¡¿¹Ô»ö (or its ÌÀ¸À¤¹¤ë¡¿¸øɽ¤¹¤ës) doesn't mean find all vulnerabilities, some vulnerability doesn't ¾×ÆÍ¡¤ÄÆÍîs the program. That's why we must ´ï¶ñ¡¿¼Â»Ü¤¹¤ë ÌÀ³Î¤Ê¡¿ºÙÉô ʬÀÏ to find ÌÀ³Î¤Ê¡¿ºÙÉô bugs. These ʬÀÏ are based on the binary instrumentation and the runtime ¹Ô°Ù ʬÀÏ of the program. In this talk, we will see how it's possible to find these ¤Ë°ú¤­Â³¤¤¤Æ Æù¿Æ¡¤¿ÆÎàd of bugs : off-by-one, stack / heap ¹¿¿å, use-after-²òÊü¤¹¤ë¡¿¼«Í³¤Ê, Ƚ·¿ string and {Îá¾õ, read}-what-where.

Talk at °ÂÁ´ Day, Lille, ¥Õ¥é¥ó, 2015. [slide]
Abstract: This talk is about binary ʬÀÏ and instrumentation. We will see how it's possible to Ū a ÌÀ³Î¤Ê¡¿ºÙÉô µ¡Ç½¡Ê¤¹¤ë¡Ë¡¿¹Ô»ö, snapshot the ¾õ¶· memory/ÅÐÏ¿¡Ê¤¹¤ë¡Ës before the µ¡Ç½¡Ê¤¹¤ë¡Ë¡¿¹Ô»ö, translate the instrumentation into an Ãæ´Ö¤Î Âåɽ,ŬÍѤ¹¤ë a taint ʬÀÏ based on this IR, build/keep ·è¤Þ¤êʸ¶ç¡¿À½Ë¡s for a Dynamic ¾ÝħŪ¤Ê »à·º¼¹¹Ô (DSE), À¸À®¤¹¤ë a ¸Ç¤á¤ë¡¿¥³¥ó¥¯¥ê¡¼¥È value to go through a ÌÀ³Î¤Ê¡¿ºÙÉô path, ²óÉü¤¹¤ë the ¾õ¶· memory/ÅÐÏ¿¡Ê¤¹¤ë¡Ë and À¸À®¤¹¤ë another ¸Ç¤á¤ë¡¿¥³¥ó¥¯¥ê¡¼¥È value to go through another path then repeat this Áàºî¡¿¼ê½Ñ until the Ū µ¡Ç½¡Ê¤¹¤ë¡Ë¡¿¹Ô»ö is covered.

Course lecture at Bordeaux University, ¥Õ¥é¥ó, 2014. [slide]
Abstract: This course lecture is about an introduction to the return oriented programming and its variants like JOP, SOP... It also ½Ò¤Ù¤ës some techniques and active ºîÉÊ about ROP-chain À¤Âå based on backtracking or ¾ÝħŪ¤Ê »à·º¼¹¹Ô.

MISC Magazine HS-09, 2014. [link]
Abstract: This article is about an introduction to the return oriented programming. In this article we ½Ò¤Ù¤ë the Operating Systems' Êݸîs in ¾ÜºÙ¡Ê¤Ë½Ò¤Ù¤ë¡Ë and explains why the ROP ³«È¯¡¿ÍøÍÑ is useful. We also ¶¡µë¤¹¤ës a detailled step-by-step example of the ROP ³«È¯¡¿ÍøÍÑ on the CVE-2011-1938 vulnerability.

Talk at LSE Summer Week, Paris, ¥Õ¥é¥ó, 2013. [slide]
Abstract: This talk is about an introduction to the concolic »à·º¼¹¹Ô using Valgrind and Z3. Concolic »à·º¼¹¹Ô is a technique that uses both ¾ÝħŪ¤Ê and ¸Ç¤á¤ë¡¿¥³¥ó¥¯¥ê¡¼¥È »à·º¼¹¹Ô. In this talk we introduce a little Æ»¶ñ which breaks a dumb crackme.